Topic: How safe is your personal data?

Have you been hacked? This week we examine the risks from public WiFi, why the Internet of Things is jeopardising the security of your home, the threats frequently lurking inside innocent-looking documents, what your mobile phone says to cybercriminals without your say-so and the new method of marketing: you compromise your competitor's website. Plus, in the news, an update on ebola, do bereaved people really die of a broken heart, and DNA points the finger at a Jack the Ripper suspect...


I'm surprised this hasn't generated more replies. I'm specifically responding to the interview with Daniel Cuthbert from Sensepost. He claimed that if a mobile device connects to online banking over an insecure network the data could be intercepted by whoever controls the network. But any online banking portal will be using SSL encryption, which both encrypts the data and conducts end-to-end authentication of the connection, to make sure you really are connected to your bank, and not an imposter in between. So I don't understand why there is a problem, provided that I don't get sent to a fraudulent imposter site (which I would know because my browser would warn me), and the security certificates are valid (again, browser trust is important, but a malicious network can't break that).

Everyone then suggests installing a VPN to encrypt traffic, off to another server which is hopefully controlled by someone trustworthy - and not by a scam merchant taking my money and getting a much higher level of access to monitor and intercept my traffic (as it exits their servers) as well.

It also isn't clear to me why a malicious network won't just intercept (via a man-in-the-middle compromise) a VPN connection as easily as an SSL connection, except that VPN clients are much more niche applications with much less information about how they are secured.

Mia Alexiou (Software Engineer)

I usually love your podcast but I felt disappointed by the sensationalist and disingenuous information provided by the security experts in this episode. Most sites and apps that serve sensitive information (including banking, facebook, gmail etc) use ssl to encrypt data and thus keep users safe - even over malicious networks. While it is certainly a good idea to avoid connecting to malicious networks it is not the calamity that this episode made it out to be. Rather than freaking people out it would have been better to teach users what ssl is and why they should be wary of untrusted certificates and websites/apps that do not use ssl.

The “S” added to the end of the “HTTP” means SECURE. (Or at least it was supposed to.)

The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted . . . and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true ...
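The first reply above argues that SSL/TLS gives both encryption and end-to-end authentication, and the post just above points out that the lock icon only means something if that checking really happens on the client. The script below is an added example, not code from the podcast or from any poster in this thread. It builds the client-side settings a browser effectively applies (the server certificate must chain to a trusted CA and must match the host name) next to the weakened settings that silently let a hostile network sit in the middle, audits a context for those weaknesses, and shows the host-name matching step on a constructed certificate dictionary in the shape Python's `getpeercert()` returns. It uses only the standard `ssl` module (Python 3.7 or later); the host names (`examplebank.test` and so on) are invented.

```python
import ssl
from typing import Dict, List

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns;
# the names are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "*.examplebank.test")),
}


def tls_client_context(strict: bool = True) -> ssl.SSLContext:
    """Client-side TLS settings.

    strict=True  is what a browser effectively does: the server certificate
                 must chain to a trusted CA and must match the host name.
    strict=False is the "make the warning go away" configuration found in
                 many scripts and apps; with it a hostile network can present
                 any certificate at all and the client will talk to it.
    """
    ctx = ssl.create_default_context()      # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not strict:
        ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses that would let an on-path network impersonate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    return findings


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """The name check behind the browser's lock icon: does a DNS entry in the
    certificate's subjectAltName cover this host?  A wildcard covers exactly
    one label, so *.examplebank.test covers login.examplebank.test but not
    examplebank.test or a.b.examplebank.test."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            if len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]:
                return True
        elif pattern == host:
            return True
    return False


if __name__ == "__main__":
    for strict in (True, False):
        label = "strict" if strict else "weak"
        print(label, audit_context(tls_client_context(strict)) or "no findings")
    for host in ("login.examplebank.test", "examplebank.test", "evil.test"):
        print(host, hostname_matches(SAMPLE_CERT, host))
```

The point of `audit_context` is that the weak settings are a property of the client, not of the network: a banking app or script built with them is open to interception on any network, and one built with the strict settings is protected on an untrusted hotspot, which is the distinction the two replies above are making.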

Always and only write cheques. Online banking wastes your time instead of the bank's, which is why they promote it.

And remember if the bank says that your security has been compromised, or someone has forged your signature, it's prima facie their fault because it's their security system that they insisted you should use: the contract is for the bank to pay on your order alone, and if they can't be bothered to verify the order, they have broken the contract.

Truly personal data is an odd thing. If you visit a hospital or a dentist, your digital x-rays will be stored forever under a couple of layers of password, which will waste everyone's time and contribute nothing to your treatment (old-fashioned film x-rays were thrown away after 2 years because they are mostly irrelevant), but your presence in whatever clinic will be on public view*, and there's no mistaking the plaster on your leg or your shiny new teeth, and the really important stuff like vital signs, drugs, history, etc., will be written on a paper file that anyone can read until it is lost.

*Just to make absolutely sure, they pay a nurse to walk into the waiting area and shout your name!

Whatever encryption you use, given enough compute power (and brain power), it can be broken.

With the exponential increase in computer power, this often happens quite quickly.

The GSM mobile system used a 56-bit encryption called DES, which was effectively weakened so criminals could not use it. It then became crackable by ordinary computers while GSM was still actively used.

The earliest form of WiFi encryption can now be easily cracked.

But the biggest security risk is people who leave their home WiFi router with no encryption at all.

Public WiFi hotspots intentionally use no encryption (so anyone can use them), but this also means that other people with suitable software on their computer can see what you are doing.

In the end it is a balance between the occasional inconvenience of turning on encryption in your browser vs the occasional inconvenience of someone breaking your computer, or stealing your banking details.
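The post above says an open hotspot lets anyone with suitable software see what you are doing, and the earlier replies say HTTPS is what limits that. The script below is an added example, not code from the podcast or from any poster, written to show concretely what an observer of unencrypted radio traffic can read from a single TCP payload: for a plaintext HTTP request, the method, path, host, cookies and body; for a TLS connection, only the server name carried in the ClientHello (the SNI extension), everything else being encrypted. The sample request and ClientHello are constructed inline (hosts such as `bank.example` are invented), and the `build_client_hello` helper exists only to produce sample input for the parser. Standard library only.

```python
import struct
from typing import Optional

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}
SENSITIVE_HEADERS = {"cookie", "authorization"}

# Constructed plaintext request, the kind an app that skips TLS would send.
PLAINTEXT_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
    b"Cookie: session=abc123\r\nContent-Length: 23\r\n\r\n"
    b"user=alice&pass=hunter2"
)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Sample input for tls_sni() below, not a real capture."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                               # client_version, random (zeros here)
            + b"\x00"                                                 # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if the
    payload is not a ClientHello or is truncated. This is the only application
    data an on-path observer learns from a TLS connection."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 43                                   # record hdr (5) + handshake hdr (4) + version (2) + random (32)
        p += 1 + payload[p]                      # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                      # compression_methods
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                       # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def http_request(payload: bytes) -> Optional[dict]:
    """Parse a plaintext HTTP request; every field returned is readable by
    anyone sharing an unencrypted access point."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return {
        "method": parts[0].decode("ascii"),
        "path": parts[1].decode("ascii", "replace"),
        "host": headers.get("host"),
        "credentials": {k: v for k, v in headers.items() if k in SENSITIVE_HEADERS},
        "body": body,
    }


def classify(payload: bytes) -> dict:
    """What an observer of an open hotspot can read from one TCP payload."""
    sni = tls_sni(payload)
    if sni is not None:
        return {"kind": "tls", "visible": {"host": sni}}
    req = http_request(payload)
    if req is not None:
        return {"kind": "http", "visible": req}
    return {"kind": "unknown", "visible": {}}


if __name__ == "__main__":
    for sample in (PLAINTEXT_REQUEST, build_client_hello("online.examplebank.test")):
        print(classify(sample))
```

Running `classify` over the payloads your own device sends on an untrusted network is a quick way to find which apps still talk in the clear: anything classified `http` is readable in full by everyone on the access point, while a `tls` connection exposes only the host name, which is the practical content of the "turn on encryption in your browser" advice above.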
